90
votes
How to extract the Root CA and Subordinate CA from a certificate chain in Linux?
tl;dr - one liner bash magic to dump all certs in the chain
openssl s_client -showcerts -verify 5 -connect wikipedia.org:443 < /dev/null |
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN ...
89
votes
Accepted
How to export CA certificate chain from PFX in PEM format without bag attributes
The solution I finally came to was to pipe it through sed.
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
...
88
votes
Accepted
Using `openssl` to display all certificates of a PEM file
The openssl command (specifically, its openssl x509 subcommand, among others) is polite with its data stream: once it reads data, it doesn't read more than it needs.
This allows to chain multiple ...
36
votes
Installing certificates on arch
Use the trust command provided by the p11-kit package:
sudo trust anchor --store ~/my-ca-cert.crt
31
votes
Is it possible to have APT accept an "invalid" certificate?
For a temporary solution you can do:
apt -o "Acquire::https::Verify-Peer=false" update
apt -o "Acquire::https::Verify-Peer=false" install curl
28
votes
Accepted
update-ca-trust extract not adding certificates to ca-bundle
TL;DR
The update-ca-trust won't extract your certificate file to the ca-bundle.crt unless this succeeds:
openssl x509 -noout -text -in <cert_file> | grep --after-context=2 "X509v3 Basic ...
27
votes
How to export CA certificate chain from PFX in PEM format without bag attributes
Another solution without sed:
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | openssl pkcs8 -nocrypt -out <clientcert.key>
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | ...
24
votes
Using `openssl` to display all certificates of a PEM file
Seems like PEM format is not handled very well with more than one certificate. Based on this answer:
openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout
it first ...
20
votes
Accepted
Adding a root certification authority to a java application
Simply copy your certificate files to this directory on CentOS 7.x:
$ sudo cp <cert file> /etc/pki/ca-trust/source/anchors/
Once the certificate files are put into this directory, run this command ...
16
votes
Generating duplicate certificates with OpenSSL CA
In the same folder as your database (the index.txt file) create a file index.txt.attr and add the following:
unique_subject = no
If you're unsure where your database file is located, check the ...
16
votes
How to permanently add self-signed certificate in Firefox?
Easy URL to test: https://self-signed.badssl.com/
There are two ways:
toggle Firefox to set server certificates added as Lifetime Permanent by default
in about:config toggle security.certerrors....
14
votes
Unable to locally verify the issuer's authority
I was having a similar error with https://excellmedia.dl.sourceforge.net/project/astyle/astyle/astyle%203.0.1/astyle_3.0.1_linux.tar.gz on a docker image (circleci/jdk8:0.1.1).
In my case upgrading ca-...
13
votes
Apache: I have lost my private.key, is it possible to re-create it from certificate.crt?
No, it is not possible to generate the private.key file from the certificate.crt file. You will need to generate a new key and a new certificate, if the below does not apply to you.
You may ask your ...
13
votes
Accepted
Is it possible to install a custom CA certificate without the ca-certificates package on Debian?
update-ca-certificates is actually a shell script. You could just read it and adapt parts of it to your needs.
In a nutshell: when update-ca-certificates adds a certificate, it creates a symbolic link ...
12
votes
Accepted
CA certificates location in Ubuntu 18.04
Should be /etc/ssl/certs/ or /etc/ssl/certs/ca-certificates.crt.
http://manpages.ubuntu.com/manpages/bionic/man8/update-ca-certificates.8.html
Note this store is not necessarily used consistently by ...
12
votes
Accepted
How to add a local CA authority on an air-gapped host of Debian
Create a directory under /usr/local/share/ca-certificates with the name of your choosing, and place the public CA certificate of your CA server into it in PEM format, as a *.crt file. Then run update-...
11
votes
Adding a self-signed certificate to the "trusted list"
In centos:
cp *.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
11
votes
how to make Gnu/Linux trust a certificate that's trusted by Windows out-of-the-box?
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 ...
11
votes
Accepted
Listing installed certificates in alpine
The /etc/ssl/certs/ca-certificates.crt is a long text file of concatenated certificates, each in PEM format. To view details of each one, you need something like:
openssl crl2pkcs7 -nocrl -certfile /...
11
votes
Accepted
Where are the intermediate CA certificates?
You misunderstand how certificates are used.
The ones you see are the trust-anchors. These are the root CAs which you (or your OS, or your OS's developers) trust.
When you connect to a remote ...
9
votes
script to check if SSL certificate is valid
If you need to check expiry date, thanks to this blog post, found a way to find this information with other relevant information with a single call:
echo | openssl s_client -servername unix....
9
votes
Adding a self-signed certificate to the "trusted list"
Non Interactive Approach (Oct'18)
for recent debian based systems
There's a distinction between adding a cert to the host's store and activating it so that applications really utilize those. An ...
9
votes
Accepted
OpenSSL fetches different SSL certificate than the one obtained via a browser
Why is OpenSSL fetching a different certificate?
s_client by default does not send SNI (Server Name Indication) data but a browser does. The server may choose to respond with a different certificate ...
9
votes
Accepted
What certificate format does /usr/local/share/ca-certificates accept?
Certificates are added to the CA certificate database using the update-ca-certificates command. This is a shell script that scans the source certificate directories and adds any certificates found to ...
9
votes
Accepted
How to add a custom root certificate MS Edge on Linux
MS Edge is a Chromium based browser and uses a similar private store as Chromium. Edge uses a keystore in ~/.pki and you need the certutil utility program.
For Ubuntu and Debian:
sudo apt install ...
8
votes
How to verify that ssh certificate was signed by specified ssh CA private key?
To remotely obtain ssh host certificate(s), you can use ssh-keyscan -c <hostname> (without the -c option, you will only get the host key(s)). To limit to a specific certificate type, you can ...
8
votes
Can't connect to remote server using RDP remmina after upgrade
I've found the solution @Ubuntu forums, that worked for me :)
You have to change the Security to "TLS" in the Advanced tab of your connection, and everything works fine!
8
votes
Can't connect to remote server using RDP remmina after upgrade
I had the same problem on debian sid with latest remmina 1.2.32.1 while connecting to a windows server2008r2 with hardened security settings.
I was able to connect after:
updating all freerdp2 ...
8
votes
Accepted
Ansible get a list of certification files and check their expiration date
Ok... it took me a while to figure out why your debug result was inconsistent with my tests. You have an error there:
- debug: msg= "{{ result }}"
should be (notice the space that is gone)
-...
Only top scored, non community-wiki answers of a minimum length are eligible